Transit Authority Jumps In Front Of Train, Publishes Confidential White Paper

Status
Not open for further replies.

aevm

May 18, 2007
Transit companies are already forced to raise prices because oil prices have gone up. If they also have to increase spending on IT security and on lawsuits then fares will go up even more. This hurts poorer people who can't afford cars, and benefits only lawyers.

I think those students should try to find other targets to hack.
 
Though I do agree that they should target something else.

It is their right to publish any information. If the Anarchist Cookbook is legal and protected then explaining a hack should be as well. There is a distinct difference between publishing knowledge and performing an illegal activity.
 

bounty

Mar 23, 2006
Yes, everyone should just look away. Then only the dark jedi know this stuff.

You don't need to see his identification. These aren't the vulnerabilities you're looking for. You can go about your business. Move along.
 

aevm

May 18, 2007
Absolutely. If they can hack the system, kudos to them. They have every right to publish, and if that helps them get good paying jobs in IT somewhere that's great too.

But, once they find a vulnerability, the responsible approach is to tell the company what they've found, give it a month or so to patch it, and only then go public. That way everybody wins. I really hate it when some people find vulnerabilities (especially in browsers or in Windows) and then just make them public right away, with all the details. That enables even brain-challenged script kiddies to cause damage to lots of innocent people before a patch can be produced.
 

Topweasel

Jul 16, 2003
"What you don't know won't hurt you" doesn't work. Even if this hole is used nefariously they might not get sued, but that isn't a good reason to ignore a security hole. It would be like Microsoft suing anyone who finds a security hole, just to say Windows has no holes. Instead they work out an update and ask that the finder of the hole wait till the patch is out in the wild before publishing anything.
 

bounty

Mar 23, 2006
And set a deadline, afterwards publish. Since users may be losing info/getting compromised in the wild and nobody knows about it. (Since it's not published!) The vendor just denies it and therefore can't be held liable.
 

Floydage

Nov 28, 2006
This actually happened a few years ago at Defcon or Blackhat. Can't remember which. Instead of an attack on Transit it was on the UPS store copy cards. Pretty much exactly the same hack, one major difference was you could cash the card out!! The author of the hack ethically disclosed it and was told by UPS that no such vulnerability existed. Fact is sometimes the company just won't admit to their shortsightedness.
 